
Bypassing Windows ASLR using “Run without permission” Add-ons

This is just a short post highlighting a few products that, if installed, could be used to bypass ASLR in Internet Explorer.

DivX Player 10.0.2

Yahoo Messenger 11.5.0.228

AOL Instant Messenger 7.5.14.8

These products contain a number of libraries that do not get randomized by ASLR when loaded into memory, because they were not linked with the /DYNAMICBASE flag. These libraries can easily be loaded in Internet Explorer, since they are registered on the system to run without permission, so no prompt is shown. Below are the lists of libraries that can be loaded via ProgID or ClassID.

To view which libraries can be loaded without permission, go to “Manage Add-ons” (Internet Explorer – Tools – Manage Add-ons) and choose “Run without permission” in the Show dropdown list.

You can use the script below to test whether any of these libraries get loaded. Libraries with a preferred base address of 0x10000000 will be rebased if another library is already loaded there. Note that the object check for Yahoo Messenger does not work and will fail, but the library will still get loaded if the product is installed. Also, depending on where you download AOL Instant Messenger, the latest version is 8.0.6.1, which does not contain the isAim.dll library.
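As an added example (not the author's script, and not part of the original post), the following Python reads a DLL's PE headers, reports whether the DYNAMICBASE flag mentioned above is set, and flags the 0x10000000 default base that gets rebased on collision; `dynamic_base_info` and `fake_pe` are assumed names, and the minimal PE header built for testing is constructed, using only the standard library.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: set by the linker's /DYNAMICBASE flag
DYNAMIC_BASE = 0x0040
DEFAULT_DLL_BASE = 0x10000000  # linker default for 32-bit DLLs; collides and gets rebased

def dynamic_base_info(data: bytes) -> dict:
    """Parse PE headers from raw file bytes and report ASLR compatibility."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {
        "image_base": image_base,
        "aslr_compatible": bool(dll_chars & DYNAMIC_BASE),
        "default_base": image_base == DEFAULT_DLL_BASE,
    }

def fake_pe(image_base: int, dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (no sections), for offline testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    struct.pack_into("<H", opt, 70, dll_chars)     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python check_dynamicbase.py some.dll other.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = dynamic_base_info(fh.read())
        tag = "ASLR" if info["aslr_compatible"] else "NO-ASLR"
        note = " (default base, will be rebased on collision)" if info["default_base"] else ""
        print(f"{tag:8} base={info['image_base']:#010x} {path}{note}")
```

Running it over the DLLs registered under “Run without permission” shows which ones would load at a predictable address.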